Breakout Session
Beyond the Perimeter: Implementing Zero Trust IAM in Hybrid & Multi-Cloud Realities
The traditional network perimeter has dissolved, and hybrid work and multi-cloud adoption have widened the attack surface that used to sit behind it. In this borderless reality, Identity and Access Management (IAM) becomes the effective perimeter, which makes zero trust a practical requirement rather than a buzzword.
About This Session
Explore why identity is now the new security perimeter as traditional defenses—firewalls, VPNs, and network boundaries—lose effectiveness in today’s cloud-first, SaaS-driven, hybrid environments. The session highlights how organizational attack surfaces have shifted and why identity has become the most critical control point.
Examine the growing challenge of identity sprawl, where user accounts, credentials, and access rights are scattered across disconnected systems. This fragmentation leads to poor identity hygiene, higher risk exposure, and operational complexity, especially when managed with manual or outdated IAM processes.
Understand the explosive rise of non-human identities (NHIs)—including machine accounts, bots, workload identities, APIs, service accounts, and automation agents. With machine identities now outnumbering human identities by 82:1 (the CyberArk 2025 landscape study cited in the session), the session outlines why traditional IAM models can no longer scale to meet modern demands.
Learn the core principles of Zero Trust for identity and access management, including how to unify identity stores, harden authentication paths, and rigorously verify access across all systems. The session presents proven approaches to modernizing IAM for both human and non-human users.
Gain a practical roadmap for implementing Zero Trust IAM quickly, featuring actionable steps organizations can begin using immediately to reduce identity sprawl, strengthen security posture, and increase resilience against emerging identity-based threats.
Key Takeaways
- Identity has effectively replaced the network perimeter, becoming the primary security control in hybrid and cloud ecosystems.
- Identity sprawl is accelerating, creating fragmented access paths and poor identity hygiene across modern environments.
- Machine and service accounts outnumber human identities by 82:1 (CyberArk 2025 landscape study), introducing massive IAM scalability and governance challenges.
- Zero Trust IAM principles offer a path forward, helping organizations unify, harden, and verify access consistently.
- Modern IAM requires automation and continuous verification to protect both human and non-human identities.
- A practical Zero Trust roadmap empowers teams to take immediate action, reducing risk quickly and building long-term resilience.
Frequently Asked Questions
Why is identity now considered the new security perimeter?
Modern environments rely on cloud platforms, SaaS applications, and hybrid infrastructures, making network boundaries obsolete. Identity provides the most consistent control point across all services, applications, and environments.
What is identity sprawl, and why is it dangerous?
Identity sprawl occurs when users and systems accumulate multiple accounts across disconnected platforms. This creates blind spots, inconsistent policy enforcement, credential duplication, and increased attack surface—often leading to poor identity hygiene.
Why are non-human identities (NHIs) creating new IAM challenges?
Automation, microservices, DevOps tooling, and AI agents rely on machine identities that now outnumber human identities by 82:1, according to the CyberArk 2025 landscape study cited in the session. These accounts often lack proper governance, naming conventions, credential rotation, or monitoring, making them prime vectors for exploitation.
How does Zero Trust IAM help reduce identity-related risk?
Zero Trust IAM unifies identity stores, enforces strict authentication, verifies access continuously, and removes implicit trust between systems. This reduces lateral movement, minimizes privilege misuse, and strengthens end-to-end access control.
What steps can organizations take to begin implementing Zero Trust IAM?
Organizations can start by inventorying all identities (human and non-human), consolidating identity platforms, enforcing MFA and strong authentication, segmenting access, automating privilege governance, and applying continuous verification policies.
Transcript
Hi everyone, welcome to Beyond the Perimeter.
I think this session’s a great title.
It’s a great title for a movie, but in this session we’re not gonna be talking about
anything in a movie.
We’re gonna be talking about your IAM system and talking about how Zero Trust can help you
secure your IAM systems and make your networks more secure.
Just some key objectives that we’re going to cover during this presentation.
We’re going to talk about why identity is now the new security perimeter.
We’re also going to cover any core zero trust IAM principles that we think matter most to
your identity and access management system.
And we’re going to talk about some strategies that we can implement to unify and harden
and verify access in your identity and access management system.
Also at the end, I’m going to have a roadmap that you can use that hopefully provides you
practical advice and practical steps that you can take to implement Zero Trust for your
IAM system and really helps you get started and have some early success, maybe even next
week as you think about your Zero Trust projects.
My name is Ron Robbins and I’m a Senior Product Manager here at Commvault and I work in
the Identity Resilience area and I get to help customers
solve their identity resilience challenges in their organization.
Let’s go ahead and jump into it.
The one thing that I think that I learned most of all in preparing for this presentation,
and I think the one thing that is most important to remember in this presentation is that
identity is the new perimeter.
Our security used to only exist at the firewall, right?
We were used to traditional network models where
we set up firewalls, we set up VPNs, and we consider our network or our data center
protected by those firewalls and VPNs.
That’s no longer the case.
You know, we’ve added new workloads, new SaaS applications.
We’ve added new cloud platforms to our environment.
And so as John Hawley put it in a 2012 CSO Magazine article, he said that our data
centers are becoming highly fragmented.
They’re oozing around the comfortable security perimeter of firewalls and VPNs, which I
think is just a great image to think about and to think about the situation that we’re all
in today, that we no longer have this traditional network that’s on-premise where we’re
protected by a firewall and VPN.
But we’ve extended much further past that.
For example, most of us are in this hybrid situation where we have an on-premise
solution and we also have many cloud platforms that maybe we deal with.
Our IAM deployments are really challenged by that, and Geoff Cairns brings this up in an
article he wrote announcing the Forrester Wave.
He says that today’s IAM deployments are characterized by identity sprawl, multiple user
accounts and credentials across siloed systems, and we have poor identity hygiene as a
result.
And we really, it’s something that we have to get under control and it’s something that’s
growing day by day.
Also, if you add in the problem of agentic AI into the equation, you see this explosion
of what we call non-human identity or NHI.
CyberArk, in a 2025 landscape study, found that the machine identities they surveyed
across customers now outnumber human identities by a staggering 82-to-1 margin, which is
amazing to think about.
The number of agents that use those identities and the number of service accounts that use
the identities.
We used to have this idea of our network of one identity per one person.
And we used to manage just those small number of identities.
And now we have thousands and thousands of service accounts that we have to go out and
manage
with names like service account 01, service account 02, and it just becomes a really huge
problem for us, a really huge problem to manage that explosion of identities and have
hygiene across that whole environment.
So now more than ever, I really think that we need some type of zero trust strategy for
our IAM environment.
So let’s define a little bit more about what the hybrid and multi-cloud challenge looks
like.
How many of you guys, I wonder, have a multi-cloud strategy?
If you guys were only on AWS, recent news might have shown you that a multi-cloud strategy
is something that you might need to adopt, where you need to have applications located
across multiple platforms, across multiple clouds, or at least have failover between
clouds, if you could.
So we add these cloud platforms into our organization to provide resilience.
And then we discovered that each of these cloud platforms that we added to our
organization has its own IAM system.
And those IAM systems each have their own language.
Like if you looked at Active Directory, for example, and you look at adding a role into
Active Directory, it’s totally different than adding a role into AWS IAM.
I mean, there’s some concepts that are similar, right?
But the language and the process you go about in Active Directory and that you go about in
AWS IAM
are two totally different things.
I mean, AWS IAM is more like a scripted language for accessing a role or adding a role to
it than Active Directory is.
And so when you look beyond the UI, it’s a lot more complex and it’s not consistent
amongst IAM systems.
And so it creates quite a problem for us when we want to enforce things, we want to apply
consistent policies across platforms and across applications.
Also, mergers and acquisitions contribute to the problem.
So we constantly have mergers and acquisitions or new companies coming into our
organization that might have their own accounts that we need to manage.
And they might bring with them identity hygiene problems that we didn’t even consider
before.
I used to work for an organization and by the way, I’m going to keep names out of this to
make sure the guilty are protected.
But I used to work for an organization that had a lot of merger and acquisition activity.
And we went through a zero trust audit and we discovered that there were a lot of cloud
accounts that were just not managed, that we just didn’t account for because of the number
of acquisitions that had occurred over the last year.
We discovered we had 12 cloud accounts that we didn’t even know existed.
And within each one of those 12 cloud accounts, we had admin accounts that were unique
for one individual user.
So one individual user might’ve had 12 different admin accounts across all of these 12
cloud platforms.
And so it created quite a problem for us.
And also when these users would leave, it created a lot of orphaned accounts.
So there were orphaned admin accounts, which is really something you don’t wanna have in
your organization.
So identity hygiene becomes quite a problem when you start to consider
the amount of cloud platforms you add into the equation, and the amount of SaaS
applications you add into the equation.
So more than ever, we need some type of strategy around our identity systems.
And I think that there’s certain principles from Zero Trust that we can apply to our IAM
systems to make things safer, to make things more secure.
The first is never trust and always verify.
Every single user, every single device,
every single thing that accesses your network, you need to make sure it proves itself.
You need to make sure it proves its identity and it proves that it’s a trustworthy thing
that can access and perform functions in your network.
Also, you need to implement this idea of least privilege for your identities.
So users should only be given enough access to perform a task or their job function and
nothing more.
So if they have access to anything more that’s outside of their job function,
they’re an overprivileged account.
And imagine what could happen if a bad actor obtained that account and was able to log in
and perform functions that they’re not supposed to do in your organization.
Also, you need strong authentication and MFA everywhere if you don’t already have it.
Authentication consists of three things.
It consists of something you know and something you have and something you are.
So it’s important that strong authentication include all three of those things or at least
two of those things if you can’t do all three at this point in time in your network.
It’s very important.
Access decisions need to be based on context and posture.
What does this mean?
So let’s say that we have a person accessing the network and they have a laptop and they
logged in somewhere in the New Jersey area.
And then they started doing things on the network and all of a sudden, five minutes later,
the IP address of their machine changes to an IP address that’s maybe located
out in California, and they start doing things in the network from California.
Well, there’s no way that that person could have traveled across the country in five
minutes.
It’s impossible travel.
And it’s something that if you detect it in that session, you would either want to end
that session or you want to re-authenticate them to make sure they still are the person
that they said they were when they authenticated.
And so checking device posture and checking context is extremely important.
And then also continuous verification goes right along with that.
Making sure that the person that you authenticated once continues to exhibit trust
throughout the whole session.
So if they start to do risky behaviors, if they start to access accounts they’re not
allowed to access, if they start to delete or do destructive actions, you want to make
sure that you re-verify them or
that you end the session if it’s something that’s at risk.
Another great thing about zero trust is that you should always assume breach or have this
assumed breach mindset, right?
You should build your network like there’s already bad actors inside of it.
And I think what would be a challenging exercise or maybe a fun exercise for some of you
that like to be investigators is to go out and assume that somebody’s already breached
your network every day.
Go out and audit sessions, go out and look at users actions, go out and
figure out if somebody’s doing something bad in your network every day and try to catch
bad actors while they’re at it.
If you always assume breach, you’re gonna always be cautious, you’re always gonna take
precautions, and you’re always gonna monitor the things that are happening in your network
and in your identity systems.
So what are some strategies we can use to implement some of these zero trust policies?
Well, the first thing I think we can do is we can unify identity, authentication, and
access.
And what do I mean by that?
So with all these cloud platforms, with all these SaaS applications that we’ve implemented,
we have these silos of identity.
I like to call them identity islands, just these islands of identity that exist out there.
And the easiest thing to do to bring them all under control is to break down the silos or
break down the divides between all these identity islands and bring them all together.
Establish a single source of truth for your identity.
Sometimes, in most organizations, that can be an HR system: when people onboard, they
enter their details into the HR system.
That might be the single source of truth and that might be where you create accounts from.
It might also be an identity-as-a-service system, like, let’s say, Microsoft Entra ID or
Ping or Okta, something like that.
The main point here is to get down to one identity per user.
It’s so much easier to manage users and manage identity if you have one identity per user.
And also it’s easier to federate that identity across multiple systems and across multiple
services if you have one identity per user.
And that’s the next step.
That’s what you need to do is federate that identity.
I’ve got a good example from a previous organization I worked with.
I promise it won’t be the same organization, but again, it’s an anonymous organization.
But we deployed an FTP service.
That FTP service couldn’t be federated
with our typical federation strategy that we had.
And so it had its own identity store.
It also had its own MFA component.
We weren’t really good at the time at having federation between our corporate environment
and our cloud environment.
So a person that wanted to access this cloud FTP service had to first log into the
corporate VPN using a user account and a username and then an MFA challenge.
And then they had to log into our cloud platform
using a corporate user account and a username and password and an MFA challenge.
And then they would have to log into the FTP service using a username and password and an
MFA challenge.
And so all of those things were named the same.
So whenever they called into the help desk and had a problem with their identity or had a
problem with one of their MFA accounts, we couldn’t tell which one it was.
We basically had to guess and figure out which one they had problems with, and they weren’t able to
easily articulate to us which one it was.
So sometimes their problems would get resolved, sometimes they wouldn’t, and really had no
idea where the identity issues were with that particular system.
So it’s very important to somehow get to that one identity per user.
Also, it makes it much easier to unify policy and role-based access models across
platforms if you have one identity.
And then also when you get to automating life cycle provisioning and governance over your
users, much, much easier with one identity and a consolidated identity landscape.
So let’s talk next about hardening privileged access.
This is also very important.
One of the things that you need to do is treat your admins as the highest risk identities
in your organization.
They are the most dangerous accounts and they’re the ones that are most
reached for in the case of a breach.
They’re the ones that are most valuable to bad actors, right?
No one person in your organization should have elevated permissions all of the time.
No admin should have elevated permissions all of time.
They just don’t need it.
They don’t need it to surf the web or to read the news on what’s going on in the world.
You need to force some type of just-in-time privileged elevation
where admins only receive elevated accounts for the period of time that they need to
perform the action that they want to perform.
If you do this in combination with the principle of zero trust, you’re going to have an
admin account that only has access for a period of time to do what it needs to do.
And it’s only going to have access to perform that specific function that we’ve limited
them to perform.
So it makes your admin accounts much more secure.
You should also define some type of monitored break glass accounts.
I’ve got a great story for this.
I wonder, just ask yourself, how many of you out there have a Bob in your environment?
I mean, you know this guy, you know Bob.
Bob is this guy that is the only person that can access this one server that’s dusty and
stored in an old wiring closet somewhere on-prem in your organization,
and he’s the only one that can log into it.
And if Bob ever left the organization or if Bob ever, heaven forbid, happened to die, you
would lose access to that server.
You would no longer be able to log into it.
You’d no longer be able to do backups and restores.
You’d no longer be able to update it.
And Bob knows this, and Bob knows he’s very valuable.
And so you want to make sure that you eliminate the types of Bobs from your environment.
You want to have break glass accounts that you can implement, that you can call upon when
needed, should the unthinkable happen, should disaster happen, and accounts that are
monitored sessions and controlled, accounts that you can check out and check in to perform
the most elevated actions, like maybe root access in a cloud account that you might own.
Another important thing to harden privileged access is to require dual approvals for high
impact actions.
What do I mean by this?
Let’s say that you have an admin that needs to log in and modify 50 accounts.
They never do that usually, but you know, that’s a very high impact action.
That’s a very destructive action if they monitored 50, you know, if they managed 50
accounts at one time and made a change that was impactful to your organization.
You want to be able to have some type of mechanism in place where dual authentication or
dual approvals is required for that specific action so that when Bob makes that change,
he has to get approval from somebody else, maybe someone higher up in the organization
would have to approve that action also.
And so that’s very important.
If a bad actor got a hold of Bob’s account or a hold of anybody’s account, listen, I just
pick on Bob, they would need to have a second account to be able to perform those
destructive or high impact actions.
And then also every privilege session, every admin session, you need to make sure that all
of those are recorded.
Make sure that all of those are monitored and all of those are audited.
And then let your people know that those are audited and recorded.
I find that admins are a lot more careful if they know their actions are being watched.
They’re a lot more careful not to make mistakes and a lot more careful not to engage in
behavior that they shouldn’t engage in if they know that their sessions are being
monitored and their sessions are being audited.
So I think those are important things to hardening privilege access.
Then let’s add in continuous verification.
So continuous verification is kind of like zero trust, but it’s zero trust in real time.
What we’re doing is we’re continuously validating users and whether or not they have the
access to do what they need to do.
You know, it’s very important to remember that just because the very first time we
authenticate a user doesn’t mean that they’re trusted throughout the entire time they’re
online or the entire time they have a session.
Session tokens
can be stolen and sessions can be hijacked and those can be taken over and risky actions
can be performed by bad actors.
So it’s important to continuously validate what the user’s doing in their session and look
at device posture.
If the device that’s accessing the session is a corporate device or if it’s something
that, you know, is their personal device that might be introducing malware into your
network, it’s very important to keep track of.
You need to have some type of step-up authentication for risky actions.
So if someone goes in and they want to elevate their permissions or they want to create an
admin account, there should be some type of step-up authentication.
A good example of this is like when you log into your bank, for example, when you go to
your bank and you sign in with your username and password and possibly MFA if you’re in a
good bank, and you go to, just monitor your account or look at your transactions
but then you want to transfer a large sum of money over to another account that you just
never do.
The bank might prompt you for additional MFA or they might send you an email and say, hey,
enter in the code that we just sent you by email so you can confirm this transaction.
That’s an example of step up authentication.
And it’s something that’s easy to implement for your organization and easy to implement for
risky actions.
You need to monitor sessions for anomalies.
Make sure that if there’s any anomalies that occur in a session, that you re-authenticate
the user.
So if a user doesn’t usually access finance data in SharePoint and they start to access
that or start to request access for it, maybe it’s time to re-authenticate or examine that
session and make sure it’s something that’s still valid for the user.
Also, you should adjust the risk dynamically based on the risk
or based on what they’re doing.
So let’s say, for example, we talked about impossible travel.
Well, let’s say for example, someone in their session starts performing risky actions at 2
a.m.
in the morning, when their normal job hours are nine to five.
Well, you might want to make sure that that person’s session has not been hijacked or
their token hasn’t been stolen and reused somewhere else from someone overseas or someone
that is trying to do bad things within your network.
You need to detect or have a method or a way to detect and cut off compromised sessions
immediately once you detect that there’s a risk involved or once you detect that there’s
bad actors involved.
Okay, now with the strategy out of the way, let’s talk about just some practical things
you could do right away in your organization to implement zero trust for your IAM systems.
I know that these aren’t going to apply to every single organization.
I’ve tried to make this high level and practical.
But these are some things that you can think about and I hope they give you ideas of how
you can win in your organization and implement some of the zero trust policies in your
organization.
So the first 30 days, I think some of the great things to focus on are like enforcing MFA
everywhere.
If you don’t have the MFA today, this is a really quick win.
If you can get an MFA system in your organization, something that challenges users with a
code, or if you have MFA everywhere, maybe it’s something that
you want to move to like a phishing resistant MFA with like a FIDO2 standard or something
along those lines.
That’s also something great that’s an easy win to do in your organization and something
that makes your accounts much safer.
Also start mapping out your identity silos.
Determine where all your identities are located, what islands are they located on, where
your cloud apps at, what cloud platforms are you using and what identity silos are located
within those.
Try and find out where everything is and do a very thorough discovery.
Then you wanna lock down your admin accounts and your service accounts.
This is something that can be done from day one.
Make them safer, however you do it, even if it’s just minimally.
You know, start by little incremental ways to make those admin accounts safer and not let
somebody have privilege all the time to do things within your organization.
First 30 days, it’s important to grab wins.
It’s important to justify
why this Zero Trust project is important.
Next 90 days, work on building out consistency.
Begin your identity consolidation plan.
Begin to execute an identity consolidation.
Combine all your identity islands, combine your silos.
Make sure that you can get to one identity per person.
Define what your policy framework’s gonna look like.
Even if you don’t implement it yet, it’s important to start defining it, along with your
lifecycle management.
What’s your life cycle process gonna look like?
How do users onboard into your organization?
How do they off board?
How do you handle those leavers that happen in your organization?
How do you delete their accounts?
It’s important to define that upfront so that as you mature down the way you can implement
automation.
Also, implement device posture.
If you don’t have this already, it’s important to examine your devices and make sure
they’re trustworthy and make sure that people that are using them
have trustworthy devices that are maybe on a corporate image or something that is a
certain standard for the corporation, and mark those devices as risky if they don’t meet
up to the standard.
And then establish those break glass accounts.
We don’t want Bob to die, we don’t want Bob to leave the organization, and we don’t want
to lose access to that server in the dusty closet that only Bob has access to.
So make sure you have those break glass accounts established pretty quickly.
And then work towards maturity long term.
Expand your consolidation.
Make sure you get to that single source of truth, whether it be the HR system or some kind
of IDaaS system.
Move to a more advanced form of authentication.
This might be passwordless authentication for you based on something like FIDO2.
I really love authentication.
I could talk a whole 30 minutes about just that.
But passwordless authentication is something your users will really enjoy and something
that I think makes you a lot more secure.
Passwords are just not a secure method of authenticating the user.
Make sure you add behavioral monitoring to your verification or your continuous
verification.
So I mentioned, behavior like accessing the network at 2 a.m.
when normally you work a 9 to 5 job.
That’s one example of behavioral monitoring that you can add to your sessions that makes
you more safe.
Add automation to your lifecycle governance and your identity lifecycle.
So when a user joins the organization, they’re given the access they need right away.
And when they leave the organization, they completely lose the access that they had so
that you can make sure that you don’t have orphaned accounts and that you can protect your
network.
And then apply your policies as code for consistent enforcement.
Treat your policies as code.
Have a policy repository, so to speak.
Make sure that you test your policies from time to time.
Make sure that you have version control on your policies and make sure that they’re kind
of treated like code and checked in and checked out when they’re modified.
So I hope that provided you enough information to figure out how to implement a zero trust
policy for your IAM systems and really make your network more safe.
A couple of things I want you to remember about this session.
I want you to remember it’s important to improve your identity hygiene.
Identities are exploding,
identity is the new perimeter, and make sure that you have a plan in place that just makes
some improvements, whether it’s consolidation, cleaning up those silos and those identity
islands, or whether it’s just applying consistent policies and practices across your
organization.
Always try to implement something that’s gonna give you the upper hand, should a bad actor
obtain one of your identities.
And one thing that’s really important to remember from this whole presentation is that,
trust isn’t something that you provide one time when the user authenticates.
It’s something that should be continually verified and verified by their actions and
verified by, you know, what they’re doing in your organization.
And so it should be something that’s continually watched.
So I hope this was helpful for you.
If there’s some next steps that I could recommend that you take, a couple of these would
be to watch an on-demand podcast.
We have a podcast or a webcast that talks about Active Directory Identity Resilience.
It’s a great webcast and something I’d recommend that you watch.
And also you can learn about cyber resilience and how Commvault helps with cyber
resilience by signing up for a cyber resilience workshop or taking a cyber resilience
readiness, and the links are there on the screen for you to access those.
I want to thank you so much for your time today and I want to thank you for your
attention.
And I really hope that this helps you with your journey towards zero trust for your IAM
systems down the road.
Thank you so much for your attendance today and thank you so much for attending.
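The continuous-verification checks the speaker describes in the transcript above (impossible travel between two logins, a high-impact action outside normal hours, and an unmanaged device, each feeding a decision to allow, step up authentication, or cut the session) can be run over session events as code. The block below is an added example, not code from the session or from Commvault; the JSON-lines event format, the users, coordinates and timestamps, the 1,000 km/h travel threshold, the 09:00-16:59 UTC working window and the risk weights are all assumptions constructed for illustration.

```python
"""Session risk evaluation over constructed login/activity events.

Added example: the event format, thresholds and weights below are assumptions,
not a vendor's or the session's own logic.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample of session events as JSON lines, roughly what an IdP or
# access proxy might emit. Users, coordinates and timestamps are made up.
SAMPLE_EVENTS = """\
{"user":"alice","ts":"2025-03-04T14:02:11Z","lat":40.73,"lon":-74.17,"action":"read_mail","managed_device":true}
{"user":"alice","ts":"2025-03-04T14:07:30Z","lat":37.77,"lon":-122.42,"action":"download_report","managed_device":true}
{"user":"bob","ts":"2025-03-05T02:15:00Z","lat":40.73,"lon":-74.17,"action":"modify_accounts","managed_device":true}
{"user":"carol","ts":"2025-03-05T10:00:00Z","lat":40.73,"lon":-74.17,"action":"read_mail","managed_device":true}
{"user":"dave","ts":"2025-03-05T11:30:00Z","lat":40.73,"lon":-74.17,"action":"read_mail","managed_device":false}
"""

MAX_PLAUSIBLE_KMH = 1000.0   # assumed: faster than an airliner means impossible travel
WORK_HOURS = range(9, 17)    # assumed: 09:00-16:59 UTC is the user's normal window
HIGH_IMPACT = {"modify_accounts", "create_admin", "delete_backup"}  # assumed set
WEIGHTS = {"impossible_travel": 3, "high_impact_off_hours": 2, "unmanaged_device": 1}


@dataclass
class Event:
    user: str
    ts: datetime
    lat: float
    lon: float
    action: str
    managed_device: bool


def parse_events(text: str) -> list[Event]:
    """Parse JSON lines into Events, sorted by timestamp (oldest first)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(
            user=rec["user"],
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            lat=float(rec["lat"]), lon=float(rec["lon"]),
            action=rec["action"], managed_device=bool(rec["managed_device"]),
        ))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def travel_speed_kmh(prev: Event, cur: Event) -> float:
    """Speed implied by moving from prev to cur; infinite if no time elapsed."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def decide(score: int) -> str:
    """Map an accumulated risk score to the session action the talk describes."""
    if score >= 3:
        return "terminate"   # end the session outright
    if score >= 1:
        return "step_up"     # re-authenticate before continuing
    return "allow"


def evaluate(events: list[Event]) -> dict[str, tuple[str, list[str]]]:
    """Return, per user, the decision and the sorted list of reasons for it."""
    last_seen: dict[str, Event] = {}
    reasons: dict[str, set[str]] = {}
    for ev in events:
        r = reasons.setdefault(ev.user, set())
        prev = last_seen.get(ev.user)
        if prev is not None and travel_speed_kmh(prev, ev) > MAX_PLAUSIBLE_KMH:
            r.add("impossible_travel")
        if ev.action in HIGH_IMPACT and ev.ts.hour not in WORK_HOURS:
            r.add("high_impact_off_hours")
        if not ev.managed_device:
            r.add("unmanaged_device")
        last_seen[ev.user] = ev
    return {u: (decide(sum(WEIGHTS[x] for x in r)), sorted(r)) for u, r in reasons.items()}


if __name__ == "__main__":
    for user, (decision, why) in evaluate(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: {decision} {why}")
```

Alice's two logins are about 4,100 km apart five minutes apart, so her session is terminated; Bob's account modification at 02:15 triggers step-up rather than termination; Dave's unmanaged device alone is enough to demand re-authentication; Carol is allowed through. In a real deployment the thresholds would come from per-user baselines rather than fixed constants, and the decision would be pushed to the identity provider or access proxy that actually owns the session.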